What’s the best low-cost small business firewall router? Looking for these features:
VPN Server (pref OpenVPN)
Dual WAN for failover
Firewall incoming traffic filtering by:
IP address & port (basic)
Geolocation/country
Blacklists (like pfBlocker-NG or similar)
Above filtering to work both for port forwarded hosted services & VPN server (some firewalls will have separate settings for VPN server which may be more restrictive instead of using general firewall filtering rules)
QoS or bandwidth limiting of any sort to help prevent sudden download spikes from affecting VoIP phone call quality
DHCP server with reservations - preferably with CSV import/export
DNS proxy with conditional forwarding to forward queries for internal domain to internal DNS server
Reliability of hardware is important: will likely be single unit, rather than HA pair.
TP-Link ER605 SafeStream Gigabit Multi-WAN VPN Router meets some of these requirements, but likely not all (unsure). pfSense is an option and meets all of the above, but not sure what the best hardware is? Netgate 2100 is an option, but is not widely supplied and at the higher end of the price point here in Australia, so is there any other pfSense hardware that makes sense? I haven’t used Ubiquiti Dream Machine so not sure if that meets all of the above, but this might be an option. Is there anything else others can suggest?
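The requirement in the list above that matters most for security is that the same inbound filtering (explicit IP/port rules, country filtering, and blocklist feeds) applies to a port-forwarded service and to the VPN listener alike, rather than the VPN getting its own weaker rule set. The following is an added example, not code from this thread or from any of the products mentioned: a small policy evaluator in Python that models a single WAN ingress policy shared by both services. The blocklist CIDRs, the geo table and the exposed ports are constructed sample data (a real firewall would use a GeoIP database and pfBlocker-NG style feeds); the function names `evaluate`, `country_of` and `audit` are this example's own.

```python
import ipaddress
from typing import Tuple

# --- Constructed sample data (stand-ins for real feeds; not from the thread) ---
# CIDRs a blocklist feed (pfBlocker-NG style) would supply.
BLOCKLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.77/32")]
# Minimal stand-in for a GeoIP database: prefix -> ISO country code.
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "XX",
    ipaddress.ip_network("100.64.0.0/10"): "NZ",
}
ALLOWED_COUNTRIES = {"AU", "NZ"}
# Services exposed on the WAN: port -> name. Both go through ONE policy.
EXPOSED = {443: "forwarded-https", 1194: "openvpn-server"}
# Optional extra source restriction per service (None = any source that
# already passed the blocklist and country checks).
SOURCE_ALLOW = {443: None, 1194: [ipaddress.ip_network("192.0.2.0/24")]}


def country_of(ip: ipaddress.IPv4Address):
    """Longest-prefix match in the stand-in geo table; None if unknown."""
    best = None
    for net, cc in GEO_DB.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def evaluate(src: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for an inbound packet from src to dport.

    Order: not-exposed -> blocklist -> country -> per-service allowlist -> allow.
    Default is deny; an unknown country fails closed.
    """
    ip = ipaddress.ip_address(src)
    if dport not in EXPOSED:
        return "deny", "port-not-exposed"
    if any(ip in net for net in BLOCKLIST):
        return "deny", "blocklist"
    cc = country_of(ip)
    if cc not in ALLOWED_COUNTRIES:
        return "deny", f"geo:{cc or 'unknown'}"
    allowed = SOURCE_ALLOW.get(dport)
    if allowed is not None and not any(ip in net for net in allowed):
        return "deny", "source-not-in-allowlist"
    return "allow", EXPOSED[dport]


def audit(src: str):
    """Show that one source gets the same blocklist/geo treatment on every exposed port."""
    return {port: evaluate(src, port) for port in EXPOSED}


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.5", "192.0.2.10", "100.64.1.1", "8.8.8.8"):
        print(src, audit(src))
```

The point of `audit` is the check a practitioner would run on a candidate router: feed it a blocklisted or out-of-country source and confirm the VPN port and the forwarded service port both deny it for the same reason. If a product only lets the VPN service carry its own narrower rules, the blocklist and country checks still have to be enforced in front of it.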
FortiGate 60F is relatively cheap with all those functionalities except maybe blacklists/category filtering, that doesn’t require an active entitlement subscription.
You can buy a used unit off eBay at around $200-300.
Netgate 2100 is an option, but is not widely supplied and at the higher end of the pricepoint here in Australia
A Netgate 2100 is $350 USD, which is $535 AUD. Or 1/3 the price of a flagship smart phone. Might need to reset those budget expectations for a device that’ll make or break most businesses.
I have been building secure networks for almost 25 years and have used practically every firewall out there. IMO PFSENSE on a purpose built server or on Netgate is the way to go. Don’t get me wrong, I love my million dollar subscription to Palo, but if I had to give up my fancy firewalls I could almost get like for like functionality out of a pfsense box.
Don’t use OpenVPN in 2024, use WireGuard, much faster and easier to maintain/set up, even for SMB. You want a bit much from your firewall, are you sure your firewall should run all these functions, and well, not just be a firewall? Do you need IDS/IPS/DPI? What’s the uplink speed? Because that matters in terms of hardware. Will the firewall also be the router? For how many networks/VLANs at what speeds? Who will support the device? You? Third party?
Edit: WTF is wrong with you heffers and the downvotes?! It’s a sampler yo, sure it’s an Atom, but I ain’t doing the shopping for OP. They can easily look around that whole site for something beefier and get an idea of what to ask for locally. Shit, even eBay is a resource. Old Watchguard Fireboxes are x86 boards with multiple ports. Have been running one at a client for three years.
For a small business, I would go with the 40FWifi. Has great throughput, lower cost, has dual cellular card slots for failover. License is basically the cost of the firewall hardware each year. Retail for hardware and 1 year license is under $1000.
The HW isn’t expensive, but the license is! But yeah, you can do a lot without a license as well. If you buy a used one, you should really try to get the seller to contact the support and transfer the FortiGate to your account. Otherwise, you will never be able to buy a license to that FortiGate… The F-series are nice!
You may not be able to beat equipment cost if you have some hardware lying around, but you can certainly beat the operational costs over time. A server chassis doing basic firewall/VPN may pull 200 W. Say you pay $0.19 per kWh, that’s roughly $0.04 per hour to run. Something purpose-built such as a $100 MikroTik that can handle that load costs 5 times less to run, and the break-even point is about 140 days of operation (where the opex of the server chassis versus the capex+opex of purpose-built hardware actually meet), and after that you are actually saving money having gone out and purchased hardware for the task.
All I’m really saying is, just because you are using hardware you had lying around and/or a free tier of network OS doesn’t always mean it’s the lowest total cost for the task.
Ignore the downvotes, MikroTik is absolutely a valid option in this case. Of course, not the only one, but definitely an option, and not the worst one either.
Getting used to the way the MikroTik configuration works may be a bit daunting, but it works, is reliable (especially compared to the price) and offers all features one could need. But yes, it’s scary, new and not Cisco or Juniper, so it must be met with downvotes!!1